Tunnel interface for securing traffic over a network

ABSTRACT

Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers is provided. According to one embodiment, a request to establish an IP connection between two locations of a subscriber is received at a service management system (SMS) of the service provider. A tunnel is established between service processing switches coupled in communication through a public network. First and second packet routing nodes within the service processing switches are associated with the first and second locations, respectively. An encryption configuration decision is bound with a routing configuration of the packet routing nodes, by, when the request is to establish a secure IP connection, configuring, the packet routing nodes to cause all packets transmitted to the other location to be encrypted and to cause all packets received from the other location to be decrypted.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.09/952,520, filed Sep. 13, 2001, which claims the benefit of priority ofU.S. Provisional Patent Application No. 60/232,516, filed Sep. 13, 2000and U.S. Provisional Patent Application No. 60/232,577, filed on Sep.13, 2000, all of which are hereby incorporated by reference in theirentirety for all purposes.

COPYRIGHT NOTICE

Contained herein is material that is subject to copyright protection.The copyright owner has no objection to the facsimile reproduction ofthe patent disclosure by any person as it appears in the Patent andTrademark Office patent files or records, but otherwise reserves allrights to the copyright whatsoever. Copyright© 2000-2012, Fortinet, Inc.

BACKGROUND

1. Field

Embodiments of the present invention generally relate to the field ofInternet processors. In particular, embodiments of the present inventionrelate to methods and apparatus for delivering security services, suchas firewalls.

2. Description of the Related Art

The service provider game has grown extremely crowded and fiercelycompetitive, with numerous players offering similar products andservices. While having a large number of comparable services is arguablybeneficial to the enterprise, it poses a host of potentially disastrousconsequences for a service provider. If all competitors in a givenmarket are offering services that are indistinguishable by the customerbase, the burden of differentiation falls squarely on cost, with theleast-cost competitor emerging “victorious”. Jockeying for thecost-leader position rapidly drives down service pricing, reducingmargins to rubble and rendering the service a commodity. Furthermore,numerous offerings that are similar in attributes and cost make it verydifficult to lock in customers.

Operational costs also present a significant challenge to serviceproviders. Cumbersome, manual provisioning processes are the primaryculprits. Customer orders must be manually entered and processed throughnumerous antiquated back-end systems that have been pieced together.Once the order has been processed, a truck roll is required for onsiteinstallation and configuration of Customer Premises Equipment (CPE), aswell as subsequent troubleshooting tasks. This is a slow and expensiveprocess that cuts into margins and forces significant up-front chargesto be imposed on the customer. In order to be successful in today'smarket, service providers must leverage the public network to offerhigh-value, differentiated services that maximize margins whilecontrolling capital and operational costs. These services must berapidly provisioned and centrally managed so that time-to-market and,more importantly, time-to-revenue are minimized. Traditional methods ofdata network service creation, deployment, and management presentsignificant challenges to accomplishing these goals, calling for a newnetwork service model to be implemented.

Basic Internet access, a staple of service provider offerings, has beencommoditized to the point that margins are nearly non-existent. Thisfact has driven service providers to look for new value-added featuresand services to layer over basic connectivity so that they are able todifferentiate on factors other than cost. The most significantopportunity for differentiation is found in managed network services.Managed network services enable enterprise IT organizations to outsourcetime-consuming tactical functions so that they can focus strategic corebusiness initiatives.

Enterprise customers are now demanding cost-effective, outsourcedconnectivity and security services, such as Virtual Private Networks(VPNs) and managed firewall services. Enterprise networks are no longersegregated from the outside world; IT managers are facing mountingpressure to connect disparate business units, satellite sites, businesspartners, and suppliers to their corporate network, and then to theInternet. This raises a multitude of security concerns that are oftenbeyond the core competencies of enterprise IT departments. To compoundthe problem, skilled IT talent is an extremely scarce resource. Serviceproviders, with expert staff and world-class technology and facilities,are well positioned to deliver these services to enterprise customers.

While IT managers clearly see the value in utilizing managed networkservices, there are still barriers to adoption. Perhaps the mostsignificant of these is the fear of losing control of the network to theservice provider. In order to ease this fear, a successful managednetwork service offering must provide comprehensive visibility to thecustomer, enabling them to view configurations and performancestatistics, as well as to request updates and changes. Providing ITmanagers with powerful Customer Network Management (CNM) tools bolstersconfidence in the managed network service provider and can actuallystreamline the service provisioning and maintenance cycle.

Customer Premises Equipment (CPE)-Based Managed Firewall Services

Data network service providers have traditionally rolled out managednetwork service offerings by deploying specialized CPE devices at thecustomer site. This CPE is either a purpose-built network appliancethat, in addition to providing specific service features, may also servesome routing function, or a mid to high-end enterprise-class serverplatform, typically UNIX-based. In the case of a managed firewallsolution, the CPE device provides services that may include VPN tunneltermination, encryption, packet filtering, access control listings, andlog files. The CPE at each customer site is aggregated at a multiplexervia leased lines and/or public Frame Relay PVCs (permanent virtualcircuits) at the service provider POP (point of presence), then into ahigh-end access router and across the WAN (wide area network).

In many cases, service providers and enterprise customers find it tooexpensive and cumbersome to deploy CPE-based security at every site, butrather deploy secure Internet access points at one or two of the largestcorporate sites. In this model, all remote site Internet traffic isbackhauled across the WAN to the secure access point and then out ontothe Internet, resulting in increased traffic on the corporate networkand performance sacrifices.

Service providers face significant challenges when deploying, managingand maintaining CPE-based managed firewall services. When a customerexpresses interest in utilizing such a service, a consultation withexperienced security professionals is required to understand thecorporate network infrastructure and site-specific securityrequirements, yielding a complex set of security policies. This may beaccomplished through a set of conference calls or a number of on-sitevisits. Once the security requirements and policies have beenidentified, the service provider must procure the CPE device. In somecases, the equipment vendor may provide some level of pre-configurationbased upon parameters supplied by the service provider. While CPEvendors are driving towards delivering fully templatized, pre-configuredsystems that are plug-and-play by enterprise staff, most serviceproviders still assume the responsibility for on-site, hands-onconfiguration, and a truck-roll to each of the customer sites isnecessary. This is particularly true in server-based CPE systems, wherea relatively high degree of technical sophistication and expertise isrequired to install and configure a UNIX-based system.

Typically, a mid-level hardware and security specialist is sent onsite,along with an account manager, to complete the CPE installation andconfiguration. This specialist may be a service provider employee or asystems integrator/Value-Added Reseller (VAR) who has been contracted bythe service provider to complete CPE rollout. This complex processbegins with physical integration of the CPE device into the customernetwork. In the case of a CPE appliance, where the OS and firewall/VPNsoftware components have been pre-loaded, the tech can immediatelyproceed to the system configuration phase. Server-based CPE services,however, require the additional time-consuming step of loading thesystem OS and software feature sets, adding a further degree ofcomplexity.

In the configuration phase, the tech attempts to establish contactbetween the CPE device and central management system at the serviceprovider NOC (network operations center). In cases where the device hasnot been previously assigned an IP address, an out-of-band signalingmechanism is required to complete the connection, typically a modem anda plain old telephone service (POTS) line. If the integration processhas been successful, NOC staff should be able to take over the process,pushing specific policy configurations (and possibly an IP address) downto the CPE device through a browser-driven management interface. Thisentire process must be repeated for every enterprise site utilizing themanaged-firewall service.

Additionally, maintenance processes and costs for CPE-based managedfirewall services can also be overwhelming to both the service providerand enterprise customers. Enterprises are forced to either keep coldspares onsite or be faced with periods of absent security when theirfirewall fails, a situation that is unacceptable to most of today'sinformation intensive corporations. Service providers must have aninventory of spares readily available, as well as staff resources thatcan, if necessary, go onsite to repeat the system configuration process.Troubleshooting thousands of CPE devices that have been deployed atcustomer sites is an extremely formidable challenge, requiring extensivecall center support resources, as well technicians that can be quicklydeployed onsite.

As CPE-based firewall services have traditionally been deployed inprivate enterprise networks, the original management systems for thesedevices have difficulty scaling up to manage several large, multi-siteservice provider customers. CPE device vendors are scrambling to ramp upthese systems to carrier-grade and scale. Firewall management systemsare typically GUI-based (graphical user interface-based), browser-driveninterfaces that run on industrial grade UNIX platforms in the serviceprovider NOC. The management system interfaces with the CPE devicesbased on IP address. The CPE-based managed firewall model faces serviceproviders with another issue: capital costs. In addition to thesignificant costs required to build out a POP/access infrastructure,including multiplexers and high-capacity access routers, the serviceprovider must also assume the initial costs of the CPE device, includingfirewall and VPN software licensing charges. In many cases, these costsare passed on to the customer. This creates steep up-front costs that,coupled with per-site installation charges, can present a seriousbarrier to service adoption. In markets where several service providersare offering managed firewall services, a service provider may absorbthe CPE cost to obtain a price leadership position, cutting deeply intomargins.

The CPE-based model is also limited when rolling out services beyond themanaged firewall offering. New services, such as intrusion detection,may require additional hardware and/or software. This results in highercapital costs, as well as another expensive truck roll.

There is also a performance penalty in conventional IP-SEC-mode(Internet protocol secure mode) transmissions, in that each packet goingthrough must be examined at the sending end of a transmission todetermine whether it must be encrypted, and then each packet at thereceiving end of the transmission to determine whether it must bedecrypted.

Thus, there is a need for a method and apparatus of delivering a varietyof network services, for example, security services, such as firewalls,and secure transmission of data across a network, such as the Internet.

SUMMARY

Methods and systems are described for a flexible, scalable hardware andsoftware platform that allows a service provider to easily provideInternet services, virtual private network services, firewall servicesand the like to multiple customers. According to one embodiment, amethod is provided for establishing a secure IP connection between twolocations of a subscriber of a managed security service provider. Arequest to establish an IP connection between a first location of thesubscriber and a second location of the subscriber is received at aservice management system (SMS) of the managed security serviceprovider. A tunnel is established between a first service processingswitch of the managed security service provider and a second serviceprocessing switch of the managed security service provider coupled incommunication with the first service processing switch through a publicnetwork. A first packet routing node within the first service processingswitch is associated with the first location. A second packet routingnode within the second service processing switch is associated with thesecond location. An encryption configuration decision associated withthe request is bound with a routing configuration of the first packetrouting node, by, when the request is to establish a secure IPconnection, configuring, the first packet routing node (i) to cause allpackets transmitted from the first location to the second location to beencrypted prior to transmission through the public network and (ii) tocause all packets received from the second location to be decryptedafter transmission through the public network. The encryptionconfiguration decision is bound with a routing configuration of thesecond packet routing node, by, when the request is to establish asecure IP connection, configuring, the second packet routing node (i) tocause all packets transmitted from the second location to the firstlocation to be encrypted prior to transmission through the publicnetwork and (ii) to cause all packets received from the first locationto be decrypted after transmission through the public network.

Other features of embodiments of the present invention will be apparentfrom the accompanying drawings and from the detailed description thatfollows.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention are illustrated by way of example,and not by way of limitation, in the figures of the accompanyingdrawings and in which like reference numerals refer to similar elementsand in which:

FIG. 1 is a block diagram of a system having a plurality of ISP boxesconnected to the Internet in accordance with an embodiment of thepresent invention.

FIG. 2 is a block diagram a service provider network in accordance withan embodiment of the present invention.

FIG. 3 is a block diagram of an IP service delivery platform inaccordance with an embodiment of the present invention.

FIG. 4 is a block diagram of a system providing a plurality of virtualprivate networks in accordance with an embodiment of the presentinvention.

FIG. 5 is a block diagram of a ring-network hardware platform inaccordance with an embodiment of the present invention.

FIG. 6 is a block diagram of a service processing switch in accordancewith an embodiment of the present invention.

FIG. 7 is a block diagram of an integrated system including conventionalexisting network elements in accordance with an embodiment of thepresent invention.

FIG. 8 is a block diagram of hardware elements and software elements inaccordance with an embodiment of the present invention.

FIG. 9 is a block diagram of a multiprocessor system using a ringnetwork in accordance with an embodiment of the present invention.

FIG. 10 shows a block diagram of a system for comparison.

FIG. 11 shows a block diagram of a system for comparison.

FIG. 12 shows a block diagram of a system for comparison.

FIG. 13 shows a block diagram of a system for comparison.

FIG. 14 shows a block diagram of a system in accordance with anembodiment of the present invention.

FIG. 15 shows a block diagram a system in accordance with an alternativeembodiment of the present invention.

DETAILED DESCRIPTION

Methods and systems are described for a flexible, scalable hardware andsoftware platform that allows a service provider to easily provideInternet services, virtual private network services, firewall servicesand the like to a plurality of customers.

In the following detailed description of the preferred embodiments,reference is made to the accompanying drawings that form a part hereof,and in which are shown by way of illustration specific embodiments inwhich the invention may be practiced. It is understood that otherembodiments may be utilized and structural changes may be made withoutdeparting from the scope of the present invention.

The leading digit(s) of reference numbers appearing in the Figuresgenerally corresponds to the Figure number in which that component isfirst introduced, such that the same reference number is used throughoutto refer to an identical component which appears in multiple Figures.Signals and connections may be referred to by the same reference numberor label, and the actual meaning will be clear from its use in thecontext of the description.

In some embodiments, the present invention deploys one or more virtualprivate networks (VPNs) running on one or more carrier-class platformsthat scale to provide cost-effective solutions for Internet serviceproviders (ISPs). In particular, security services such as firewalls canbe provided by the ISPs for services they provide to their customers,wherein a plurality of customers are hosted on a single network ofprocessors. An ISP is providing hosting services (e.g., hosting anInternet web site for a customer) and routing (moving data to and fromthe Internet) for their customers.

FIG. 1 shows a system 100 that includes a plurality of similar ISP(Internet service provider) boxes 110 connected to the Internet 99 inaccordance with an embodiment of the present invention. In thisembodiment, each box 110 represents a subsystem having routing servicesprovided by a block called access router 111, and hosting servicesprovided by blocks 113 and 114. The ISP is typically a company thatprovides Internet services (such as connectivity to the Internet, aswell as servers that store data and provide data according to requestsby users, and network connectivity to users) to a plurality of customersincluding customer A and customer B. In some embodiments, customerpremises equipment 117 and 118 (also called CPE 117 and 118, this ishardware and the software that controls the hardware, that is installedat the customer's premises; this can include servers, routers andswitches, and the network connecting to individual user's workstations,and various interfaces to external communications networks) is used toprovide at least a portion of the function to support customers A and Brespectively, and the ISP 110 provides the rest in blocks 113 and 114respectively. The function to support customers includes such things asweb site hosting, database and other servers, e-mail services, etc. Thecustomer's CPE 117 and 118 connect to the ISP through, e.g., accessrouter 111 and security services 112 to customer A site one 113 andcustomer B site one 114, and also to the Internet 99 in a manner thatisolates customer A and customer B from one another except forcommunications and E-mail that would normally pass across the Internet99.

Further, by establishing secure connections between two ISP boxes 110across the Internet 99, a virtual private network or VPN 410 (see FIG. 4below) can be created. This function allows, for example, customer A'soffice at a first site (e.g., headquarters 117) to connect seamlessly tocustomer A's office at a second site (e.g., branch office 119) usingwhat appears to them as a private network, but which actually includessome CPE at site 117, some services 113 provided within ISP 110.1, asecure encrypted connection across Internet 99, some services also inISP 110.2, and some CPE at site 119. Users at sites 117 and 119 cancommunicate with one another and share data and servers as if they wereon a single private network provided by, e.g., VPN 410.

FIG. 2 is a block diagram of a service provider (SP) network 200 inaccordance with an embodiment of the present invention. A conventionalnetwork “cloud” 98 includes the SP's Internet protocol (IP) orasynchronous transfer mode (ATM) core, as is well known in the Internetart. IP system 201 connects to such existing infrastructure 98, as wellas to other optional conventional hardware such as described in FIG. 2below, to provide SP network 200. IP System 201 provides hardware 230and software 220 to provide a plurality of virtual routers (VRs) 210.Each VR 210 provides support for router services and server servicessuch as those that provide customer site services 113 of FIG. 1. Each VR210 is supported by an object group 211, which is a group of generallydissimilar objects such as routing object 212, packet filtering object213, firewall object 212, network address translation (NAT) object 215,and/or other objects. In some embodiments, each VR 210 is a separateinstantiation.

In some embodiments, software 220 includes IP network operating system(IPNOS) 223, service management system (SMS) 221 (e.g., in someembodiments, this is the Invision™ software from CoSine CommunicationsInc., assignee of the present invention), and customer networkmanagement system (CNMS) 222 (e.g., in some embodiments, this is theIngage™ software from CoSine Communications Inc., assignee of thepresent invention). SMS 221 provides such services as configuration ofblades 239, defining subscribers, determining services, and generationof IP security (IPSec) public/private key pairs. CNMS 222 provides suchservices as providing subscribers (customers) visibility to services. Insome embodiments, CNMS software runs at least in part in a user's CPE orworkstation, typically at a company's information services (IS)headquarters.

In some embodiments, IP server switch (IPSX) hardware 230 includes oneor more scalable hardware enclosures, each having a plurality of service“blades” 239 (i.e., an insertable and removable printed circuit cardhaving one or more processors, each having its own CPU and memory) eachconnected in a ring configuration (such as a counter-rotating dual ring232). In some embodiments, three types of blades 239 are provided:control blade(s) 234, processor blade(s) 236, and access blade(s) 238.IPSX hardware also includes highly available, redundant, andhot-swappable hardware support 240 including power supplies 241 and fans242.

FIG. 3 is a block diagram of an IP service delivery platform (IPSDP) 300in accordance with an embodiment of the present invention. The hardwareand software of SP network 200 can be viewed as generating variousnetwork “clouds” such as edge cloud 95, access concentration cloud 96,and service processing cloud 97. These are built upon the existingconventional SP's IP or ATM core cloud 98 and they connect to theexternal Internet cloud 99. IPSDP 300 includes an ISP's SP network 200connected to one or more customer's offices 301 each of which includessome amount of CPE 110. In the embodiment shown, three corporate remoteoffices 301.1 are connected to SP network 200 using various conventionalcommunications devices, well known to the art, such as frame relayswitch 326, M13 multiplexor (mux) 327, DSLAM (digital subscriber linkaccess multiplexor) 328, and dial-up RAS (remote access server) 329(used to receive dial-up connections, for example, from the modem 311connected to laptop computer 316 in portable system 310 of dial-uptelecommuter 301.3). In the embodiment shown, SP network 200 includestwo systems 201, on connecting through frame relay switch 326, M13multiplexor (mux) 327, DSLAM 328, and dial-up RAS 329 to remote office'sCPE 110, and the other connecting directly to the customer's corporateheadquarter's CPE 1110 (which also includes a control and monitoringfunction provided by CNMS 222) using conventional communicationsprotocols such as frame relay (FR, an access standard defined by theITU-T in the 1.122 recommendation “Framework for Providing AdditionalPacket Mode Bearer Services”), Internet protocol (IP), FT1 (fractionalT1), T1/E1 (a digital transmission link with capacity of 1.544 Megabitsper second), FT3 (fractional T3), T3 (capacity of 28 T1 lines), and/orOC3 (optical carrier level 3=three times the OC1 rate of 51.840 Mbps)(each of which is a conventional communications service well known tothe art).

In some embodiments, IPDSP 300 provides a VPN 410, using secureconnections across the Internet 99, to connect remote offices 301 to oneanother.

FIG. 4 is a block diagram of a system 400 providing a plurality ofvirtual private networks 410, 420, 430, 440 in accordance with anembodiment of the present invention. VPNs 420, 430, and 440 are eachequivalent to the VPN 410 that supports subscriber 1, except that theyare for other subscribers. Each subscriber has a set of partitionedvirtual routers 210. For example, subscriber 1 has two locations, 411and 412, connected in a VPN 410. VR 210 at location 411 can include someCPE 110 as well as support provided in system 201-1. VR 210 at location412 can include some CPE 110 as well as support provided in system201-2. These two VRs 210 establish a “tunnel,” a secure connection, thatallows them to maintain secure communications that support the VPN 410even across packet networks such as the Internet 99. Each VR 210 is theequivalent of an independent hardware router. Since each VR 410 issupported by an object group 211, objects can be easily added or omittedto enable customized services on a subscriber-by-subscriber basis tomeet each subscriber's individual needs. SMS 221 running on SP network200 allows ease of service provisioning (dynamically adding additionalprocessors/processing power when needed, reducing theprocessors/processing power used for VPN 410 when not needed). In someembodiments, IPNOS 223 uses an open Application Program Interface (API)to enable new services to be added to the platform whenever needed.

In some embodiments, system 401 at a first site (e.g., an ISP premiseslocally connected to a customer office) includes IPSX 201-1 having a VR210 connected to CPE 117. This system 401 appears to the outside worldas a single router having firewall services, server(s) and user(s), etc.These functions can be provided by either or both VR 210 and CPE 117,thus allowing a customer to outsource many or most of these services tothe service provider and IPSX 201-1. Similarly, system 402 at a secondsite (e.g., another ISP premises locally connected to a remote office ofthe same customer) includes IPSX 201-2 having a VR 210 connected to CPE119. This system 402 also appears to the outside world as a singlerouter having firewall services, server(s) and user(s), etc. Thesefunctions can be provided by either or both VR 210 and CPE 119, thusallowing a customer to outsource many or most of these services to theservice provider and IPSX 201-2.

FIG. 5 is a block diagram of a ring-network hardware platform 230 inaccordance with an embodiment of the present invention. Hardwareplatform 230 includes plurality of service “blades” 239 (i.e., aninsertable and removable printed circuit card having one or moreprocessors, each having its own CPU and memory) each connected in a ringconfiguration (such as a counter-rotating dual ring 232). In someembodiments, three types of blades 239 are provided: control blade 234(not shown here), processor blades 236 (providing such functions aspoint-to-point (PPTP) connectivity, firewall protection against hacking,intruders, or accidental access), and access blades 238 (providing suchfunctions as NAT, encryption, and routing).

FIG. 6 is a block diagram of a service processing switch 600 inaccordance with an embodiment of the present invention. In someembodiments, service processing switch 600 includes a hardware enclosure230 having power supplies 241 that are hot-swappable, redundant, capableof automatic failover (when one fails, others take over), and which canbe AC or DC sourced. In some embodiments, dual hot-swappable, variablespeed fans 242 are provided. In some embodiments, software updates canbe made without system downtime by swapping out all object groups 211(virtual routers), changing the software modules, and then resumingprocessing. In some embodiments, all service blades 239 arehot-swappable (they can be removed and/or inserted without bringing thesystem down) and include automatic failover from primary mode to protectmode. In some embodiments, dual counter-rotating rings 232 supportprimary and protect redundancy. In some embodiments, system 600 providesNEBS Level 3 compliance and is Y2K ready, provides SONET (synchronousoptical network) 1+1 Line Protection Switching, and includes integratedmetallic cross-connects to enable DS3 (digital signal level 3;44,736,000 bits per second) blade automatic failover without touchingthe facility.

FIG. 7 is a block diagram of an integrated system 700 includingconventional existing network elements in accordance with an embodimentof the present invention. Integrated system 700 optionally includesconventional frame relay switch 326, M13 mux 327, Digital Subscriberlink Access Multiplexor (DSLAM) 328, and Remote Access Server (RAS) 329connecting to customer's equipment such as CPE router 110 and dial-upsystem 310. In some embodiments, integrated system 700 optionallyincludes a core IP router 720 and/or a core ATM switch as part of an SPcore 98. This provides support for a large number of conventionaltechnology standards, and interoperability with existingaccess-concentration and core-network elements. It also offersinterworking between frame-relay networks and IP networks. Networkaddress translation (NAT) enables enterprise subscribers to leave theirnetwork addressing untouched. It also enables one to merge IP and legacynetworks into one, with continuity of service (COS) guarantees.

FIG. 8 is a block diagram of hardware elements 230 and software elements220 in accordance with an embodiment of the present invention. Hardwareelements 230 include a 26-slot, two-sided chassis 831 having a22-gigabit per second (Gbps) ring midplane 832. Service blades 239 canbe hot plugged into midplane 832 form either side of chassis 831. Threetypes of service blades 239 are provided: control blades 234, processorblades 236, and access blades 238. In some embodiments, four processorsare provided on each service blade 239, each processor having a CPU andits own memory, allowing specialized processing to be performed onvarious different daughter cards of the blades 239.

In some embodiments, a single system chassis 831 provides a redundantback plane and blade-termination facilities 832. The access blades 238,processor blades 236, control blades 234, power supplies 241 and fantrays 242 are designed for hot-swappable operation—any of thesecomponents may be removed from service while the entire system remainsoperational. The metallic cross connect is a passive system thatprovides fail-over support to allow DS3 and DS1 access facilities to beswitched from one access blade to another access blade should an accessport or card fail. The phase 1 chassis provides 26 universal slots, eachof which may be populated with control blades, access blades, andprocessor blades. To operate, the chassis must contain at least onecontrol blade. Up to two control blades may be operational in a chassisat the same time. Access blades are added as input/output requirementsgrow, and processor blades are added as computation requirements scale.

In some embodiments, each system 230 supports up to twenty-fiveprocessing blades (PB) 236. Each processor blade 236 is designed tosupport three hundred Mbps of full duplex traffic while delivering IPservices including application firewall, LT2P, PPTP, NAT, VPN router.

In some embodiments, each system 230 supports up to two control blades(CB) 234. CBs 234 provide overall system supervision, IP routecalculation, software update management, and network managementstatistics logging services. When two CBs 234 are operational within achassis 831, they remain synchronized such that should either CB 234fail, the other CB 234 automatically takes over system operation. Inthis process all active services remain in progress. Each control blade234 is hot swappable, so that when proper procedures are followed, afailed or malfunctioning CB 234 may be removed from on operationalsystem 230 without bringing down any customer services.

In some embodiments, each CB 234 provides four Ethernet interfaces formanagement traffic. Each Ethernet interface has a distinct collisiondomain and may each be configured with a primary and secondary IPaddress. Ethernet interfaces designated for management use may beconfigured for primary and protected configurations, both sharing thesame IP address, reducing ISP IP address requirements. The CB 234Ethernet interfaces may be configured for fully meshed communicationsover diverse paths to diverse operating systems. Each CB 234 is alsoequipped with a random # seed generator for use in securityapplications.

In some embodiments, each system 230 supports up to twenty-five accessblades (AB) 238. Access blades 238 provide physical line termination,hardware-assisted IP forwarding, hardware assisted encryption services,and hardware assisted queue management. Each access blade 238 is hotswappable, so that when proper procedures are followed, a failed ormalfunctioning access blade may be removed from on operational system230 without bringing down any customer services. In some embodiments,10/100 Ethernet-, DS3-, and OC3-type access blades are supported bysystem 230.

FIG. 9 is a block diagram of a multiprocessor system 900 using ringnetwork 932 in accordance with an embodiment of the present invention.In some embodiments, each of two network rings 933 and 934 connect nodes931 together, where each blade 239 includes one or more nodes 931, andeach node 931 is connected to one or more processors 930. In someembodiments, each processor is a high-performance processor such as anR12K processor from MIPS Corporation. In one embodiment, each blade 239includes four nodes 931, each having one processor 930. Each processor930 includes its own CPU (central processing unit) 935 and memory 936,and optionally includes other hardware such as routers, encryptionhardware, etc. Software tasks, in some embodiments, are split up suchthat one processor operates on one part of the data (e.g., the Level 7processing) and another processor operates on another part of the data(e.g., the Level 3 processing). In other embodiments, the variousprocessing portions of a task all run on a single processor,multiprocessing with other tasks that share that processor. Thus, thehardware provides scalability, where low-end systems include fewprocessors that do all the work, and high-end systems include onehundred or more processors and the work is distributed among theprocessors for greater speed and throughput. In some embodiments, theplurality of processors 930 in the ring configuration includes formingdual counter rotating ring connections 933 and 934, each connecting toeach of the plurality of processors 930.

In some embodiments, a separate control ring 935 is provided, connectedto all processors 930. Data passed on the control ring 935 allowscontrol communications to be passed between processors, and inparticular, allows the control blade to configure and control the otherblades in IPSX 201. In other embodiments, control ring 935 is omitted,and its function is overlaid on rings 933 and 934.

Logical Queue Identifiers

In some embodiments, rings 933 and 934 are packet-passing rings. Eachpacket 950 placed in the rings includes a data portion 953 and aprocessor element identifier (PEID 951) that identifies for each node931 which processor that packet is destined for, for example a 16-bitPEID that specifies one of 65526 PEs. If the PEID matches a processor onits particular node, the node 931 passes the packet to the properprocessor 930; if not, the packet is forwarded to the next node 931. Insome embodiments, each packet also includes a logical queue identifier(LQID) that identifies a software entity (for example, an object groupfor a particular VR 210) residing on that processor 930 for which thepacket is destined.

In some embodiments, every node 931 has a unique, globally unique (i.e.,unique within an IPSX 201, or within an ISP having a plurality of IPSXs201) PEID 951. In some embodiments, the way this is done is that onetakes the blade ID (e.g., five bits) and you append the PE number, whichis, for example, a eleven bits. Put that together in some fashion andyou'll get a unique ID that is globally unique within some hardwareconfiguration. Note that packets including this PEID 951 are routable.Just by looking at the PEID 951, the system 201 has a topologicalstructure so that it can route based on purely the PEID 951. The nextthing to keep in mind is that system 201 is managing multiple virtualcontext. Each VR 210 in a system 201 is a virtual router to which packetare to be directed. When packets come into node N 931 for example,system 201 needs to be able to steer it to the appropriate logicalentity, i.e., to the appropriate context and to the object channel thatit represents. Thus, a logical queue ID 952 is appended that is uniquewithin the destination processor (PE) 930. If an object in a processor930 on node 1 930 wants to set up a channel to another object aprocessor 930 on node N 930, they need to use the LQID 952. A first LQID952 and PEID 951 together represent the local end, and a second LQID 952and PEID 951 together represent the remote end of the object and so thesystem can map the corresponding object channel, defining the objectchannel that is going across the network. From a networking perspective,PEID 951 looks like your IP address that routes packets like an IPaddress. But once you go to a particular node 931, the LQID looks likethe UDP (User Datagram Protocol, a TCP/IP protocol describing howmessages reach programs within a destination computer) code number. Sosystem 201 (e.g., SMS 221) essentially signals and negotiates the properLQID to have a channel going between those ends. This allows all thetraffic coming into a PE 930 to be steered along the appropriate objectpath to the appropriate object channel on that object.

In some embodiments, an object could be talking on another channel toanother object, or to the same object, using a different channel. Inwhich case each channel uses a different LQID 952, but the same PEID951.

In some embodiments, system 201 sets up a shortcut that circumventstraffic that otherwise would be transmitted outside system 201 and thenback in (e.g., traffic between two different VRs 210 supportingdifferent customers). To set up such a shortcut, system 201 allocates adifferent LQID 952 for the shortcut. Thus, an object channel has thenormal point-to-point path for normal traffic and has amulti-point-to-point path, which is used for shortcut traffic. So whenpackets come in to the object it knows whether the packet came in on thenormal path or on the shortcut path. Similarly, when the object wants touse a shortcut, it also needs to allocate a different LQID for itsoutbound shortcut traffic. One interesting distinction of shortcut pathsis that the normal point-to-point is bidirectional and data can flow inboth directions, but shortcuts data flow flows in only one direction. Soa receive site can have any number of transferred sites. Any number ofobjects can be transmitting to the same receive site. That is why it iscalled multi-point-to-point.

Further, some embodiments have different levels of shortcuts. Forexample, a packet can be sequentially passed to successive destinationsin some embodiments. Thus there can be a complex multistage path. Theshortcuts can trickle down to the ultimate end, where the packetcascades. Further, if one object knows a shortcut, it can tell otherobjects about its shortcut. So the other object does not have to come tothe first object and then be directed to the shortcut destination, butrather can directly use the shortcut it has learned about.

While service providers recognize the tremendous revenue potential ofmanaged firewall services, the cost of deploying, managing andmaintaining such services via traditional CPE-based methods is somewhatdaunting. Service providers are now seeking new service deliverymechanisms that minimize capital and operational costs while enablinghigh-margin, value-added public network services that are easilyprovisioned, managed, and repeated. Rolling out a network-based managedfirewall service is a promising means by which to accomplish this.Deploying an IP Service Delivery Platform in the service providernetwork brings the intelligence of a managed firewall service out of thecustomer premises and into the service provider's realm of control.

An IP Service Delivery Platform consists of three distinct components.The first is an intelligent, highly scalable IP Service ProcessingSwitch. Next is a comprehensive Service Management System (SMS) toenable rapid service provisioning and centralized system management. Thelast component is a powerful Customer Network Management (CNM) systemwhich provides enterprise customers with detailed network and serviceperformance systems, enable self-provisioning, and eases IT managersfears of losing control of managed network services.

In a network-based managed firewall service model, the service providerreplaces the high-capacity access concentration router at the POP withan IP Service Processing Switch. This is higher-capacity, more robust,and more intelligent access switch, with scalable processing up to 100+RISC CPUs. Just as with the access router, additional customer accesscapacity is added via installing additional port access blades to the IPService Processing Switch chassis. Unlike conventional access routers,however, additional processor blades are added to ensure wire-speedperformance and service processing.

The intelligence resident in the IP Service Processing Switch eliminatesthe need to deploy CPE devices at each protected customer site.Deployment, configuration, and management of the managed firewallservice all take place between the IP Service Processing Switch 230 andits Service Management System 221, which resides on a high-end UNIXplatform at the service provider NOC. The customer also has the abilityto initiate service provisioning and augmentation via a web-basedCustomer Network Management tool that typically resides at thecustomer's headquarters site. This is an entirely different servicedelivery paradigm, requiring minimal or no truck rolls or on-siteintervention.

To roll out a managed network-based firewall service, the serviceprovider's security staff provides a consultation to the enterprise,thereby gaining an understanding of the corporate network infrastructureand developing appropriate security policies (this is a similar processto the CPE model). Once this has been accomplished, the NOC securitystaff remotely accesses the IP Service Processing Switch (using theService Management System 221) at the regional POP serving theenterprise customer, and the firewall service is provisioned andconfigured remotely.

This model enables the service provider to leverage the enterprise'sexisting services infrastructure (leased lines and Frame Relay PVCs) todeliver new, value-added services without the requirement of a truckroll. All firewall and VPN functionality resides on the IP ServiceProcessing Switch at the POP, thus freeing the service provider fromonsite systems integration and configuration and effectively hiding thetechnology from the enterprise customer. Firewall inspection and accesscontrol functions, as well as VPN tunneling and encryption, take placeat the IP Service Processing Switch and across the WAN, while theenterprise's secure leased line or Frame Relay PVC (permanent virtualcircuit) access link remains in place. The customer interface is betweenits router and the IP Service Processing Switch (acting as an accessrouter), just as it was prior to the rollout of the managed firewallservice. Additionally, the customer has visibility into and control overits segment of the network via the CNM that typically resides at theheadquarters site.

TABLE 1 Comparison Between CPE-based and Network-based Managed FirewallTurn-up Processes Network-based Process CPE-based Model Model ServicePreparation Security consultation Security consultation to identifycustomer to identify customer requirements/policies,requirements/policies CPE-device(s) ordered, CPE device(s)preconfigured, CPE device(s) shipped to customer site Service RolloutSecurity technician Service provisioning deployed to site(s), and policyOS/Firewall/VPN configuration software loaded deployed from NOC(server-based model), via Service Physical network Management Systemintegration of device (SMS) - No truck roll needed. Additional ServiceRepeat above with Add configurable Deployment each additional templateto SMS and service duplicate across all service points, provision withCNM - No truck roll. Maintenance/Support Technician on phone Order withcustomer testing spares/replacement CPE and technician at from centralvendor POP testing repository - No truck equipment. Maintain rollnecessary. inventory of spare Integrate replacement units/components inunit component at service region. Ship POP. spares to customer site asneeded. Deploy technician to customer site to complete repairs ifnecessary.

The network-based firewall model also enables service providers toquickly and cost-effectively roll out managed firewall solutions at allenterprise customer sites. As a result, secure Internet access can beprovided to every site, eliminating the performance and complexityissues associated with backhauling Internet traffic across the WAN toand from a centralized secure access point.

As the IP Service Delivery Platform is designed to enable value-addedpublic network services, it is a carrier-grade system that is morerobust and higher-capacity than traditional access routers, and an orderof magnitude more scalable and manageable than CPE-based systems. Theplatform's Service Management System enables managed firewall services,as well as a host of other managed network services, to be provisioned,configured, and managed with point-and-click simplicity, minimizing theneed for expensive, highly skilled security professionals andsignificantly cutting service rollout lead-times. The Service ManagementSystem is capable of supporting a fleet of IP Service ProcessingSwitches and tens of thousands of enterprise networks, and interfaces tothe platform at the POP from the NOC via IP address. Support forincremental additional platforms and customers is added via modularsoftware add-ons. Services can be provisioned via the SMS system'ssimple point and click menus, as well as requested directly by thecustomer via the CNM system.

Deployment of a robust IP Service Delivery Platform in the carriernetwork enables service providers to rapidly turn-up high value, managednetwork-based services at a fraction of the capital and operationalcosts of CPE-based solutions. This enables service providers to gain aleast-cost service delivery and support structure. Additionally, itenables them to gain higher margins and more market share thancompetitors utilizing traditional service delivery mechanisms—even whileoffering managed firewall services at a lower customer price point.

The following embodiments explore four specific managed firewall servicedelivery architectures usable by service providers, systems integrators,and hardware/software vendors.

CPE-Based Models

Architecture One: Check Point/Nokia Appliance

This architecture employs a firewall/VPN CPE appliance, traditionalaccess router, and software-based centralized management system todeliver a managed firewall solution. The specific components of thissolution include:

-   -   1. CheckPoint/Nokia VPN-1/IP-330 appliance (50 user license) at        branch sites    -   2. CheckPoint VPN-1/Firewall-1 software module (unlimited user        license) on Sun Enterprise Ultra 250 server platform at        headquarters    -   3. Cisco 7513 access router at the service provider's POP        (redundant power, redundant RSP4)    -   4. CheckPoint Provider-1 management system at the service        provider's NOC (supports 50 customers/module) with unlimited        sites/customer on Sun Ultra 60 platform at Network Operations        Center (NOC)

FIG. 10 shows a block diagram of a system 1000 providing a ManagedFirewall Service with a CheckPoint/Nokia Appliance Solution.

Architecture Two: CheckPoint Server

This architecture employs a firewall/VPN CPE server, traditional accessrouter, and software-based centralized management system to deliver amanaged firewall solution. The specific components of this solutioninclude:

-   -   1. CheckPoint VPN-1/Firewall-1 software module (50 user license)        on Sun 5S server platform at branch sites    -   2. CheckPoint VPN-1/Firewall-1 software module (unlimited user        license) on Sun Enterprise Ultra 250 server platform at        headquarters    -   3. Cisco 7513 access router at the service provider POP        (redundant power, redundant RSP4)    -   4. CheckPoint Provider-1 management system (supports 50        customers/module) with unlimited sites/customer on Sun Ultra 60        platform at NOC

FIG. 11 shows a block diagram of a system 1100, providing a ManagedFirewall Service with a CheckPoint Firewall-1 Server-based Solution.

Architecture Three: WatchGuard Appliance Model

This architecture employs a firewall/VPN CPE appliance, traditionalaccess router, and software-based centralized management system todeliver a managed firewall solution. The specific components of thissolution include:

-   -   1. WatchGuard Firebox II Plus appliance at branch sites    -   2. Cisco 7513 access router at the service provider POP        (redundant power, redundant RSP4)    -   3. WatchGuard for MSS management system (supports 500        customers/module) with unlimited sites/customer on Compaq        Proliant 3000 Windows NT workstation platform, Event Processor        on Sun Microsystems 5S server platform

FIG. 12 shows a block diagram of a system 1200, providing a ManagedFirewall Service with a WatchGuard Appliance Solution. The CPE-basedmanaged firewall service model requires installation and configurationof system components at three network points: the service provider POP,the service provider NOC, and the customer premises.

POP Infrastructure

Each of the three CPE-based architectures explored in this analysisemploys an identical POP infrastructure. This access infrastructure isbased on the Cisco 7513 router. The base configuration for the 7513includes:

-   -   1. 13-slot chassis    -   2. IOS Service Provider system software    -   3. (2) power supplies    -   4. (2) Route Switch Processors (RSP4)    -   5. (2) RSP4 128 MB DRAM Option    -   6. (2) RSP4 20 MB Flash Card Option    -   7. 2-port Fast Ethernet Card    -   8. 64 MB DRAM Option    -   9. 8 MB SRAM Option

The RSP4 cards in this base configuration each consume one slot in thechassis, leaving 11 remaining for port adapters. An Ethernet card isadded for software uploads. Ingress traffic is supported via dual-portchannelized and/or dual-port unchannelized T3 cards (for dedicated T3connections). Each channelized T3 port can support up to 128 DSO orN.times.T1 channels Single-port OC-3 POS cards provide connectivity tothe network uplink on the egress side. These cards each occupy a singleslot. Each card requires a programmable Versatile Interface Processor(VIP2), as well as an additional 64 MB of DRAM and 8 MB of SRAM. TheVIP2 and additional memory reside on the T3/OC-3 cards and do notconsume additional slots.

As described in the assumptions, a traditional multiplexer exists ateach POP to aggregate various sub-T1 customer access links up to thechannelized T3 interfaces on the Cisco 7513 router. As the POPinfrastructure installation and configuration processes are uniformacross all managed firewall service models explored in this analysis,the costs associated with these processes will not be quantified.

Network-Based Model in Accordance with the PresentInvention—Architecture Four

IP Service Delivery Platform 300 that includes an IP Service ProcessingSwitch (IPSX 230), a Service Management System (SMS 221) and a CustomerNetwork Management System (CNMS 222).

This architecture employs an IP Service Processing Switch and asoftware-based centralized SMS to deliver a managed firewall solution.The specific components of this solution include:

-   -   1. IPSX 230 (IP Service Processing Switch) at service provider        POP    -   2. Service Management System 221 on Sun Ultra 60 server at        service provider NOC    -   3. InGage™ Customer Network Management System at the        subscriber's headquarters

FIG. 13 shows a block diagram of a system 1300 that provides a ManagedFirewall Service with CoSine's Network-based Solution in accordance withthe present invention.

FIG. 14 shows a block diagram of a system 1400 in accordance with thepresent invention. System 1400 includes a first processing system 1410and a second processing system 1420, each of which, in some embodiments,has a plurality of processors such that they can be incrementallyexpanded. In some embodiments, one or both of the first and secondprocessing systems includes one or more control processors, one or moreaccess processors, and one or more processing processors, as describedabove. In such systems, packets will be transmitted both ways, but forsimplicity of explanation, packets transmitted from system 1410 to 1420are explained. The same explanation can be applied to packets going theother direction. System 1410 includes a source of data packets 1401, andsystem 1420 has the destination 1402 for these packets. In someembodiments, one or more virtual routers 1411 (and possibly 1412 and1413) are provided in system 1410, wherein a separate virtual router canbe assigned to each of a plurality of different customers. Thus eachcustomer views the system 1410 has having only its router (e.g., virtualrouter 1411 for a first customer, virtual router 1412 for a secondcustomer, etc.) and each customer does not “see” the other virtualrouters for the other customers. These other customers would have otherpacket sources (not shown) to supply packets to their virtual routers.Similarly, in some embodiments, system 1420 includes one or more virtualrouters 1421 (and possibly 1422 and 1423), wherein a separate virtualrouter can be assigned to each of a plurality of different customers.Thus each customer views the system 1420 has having only its one router(e.g., virtual router 1421 for the first customer, virtual router 1422for another customer, etc.) and each customer does not “see” the othervirtual routers for the other customers. The IP SEC mode provides thateach transmitting virtual router examines each packet (e.g., by theencrypt-bit detection block 1414) being sent to see if it is to beencrypted or not (e.g., by examining a bit in the packet), and if sopasses the packet to encryptor 1415, which encrypts the packet using asuitable encryption method (many of which are known in the art, such asstandard public-key/private-key IP encryption). The virtual router 1411would then route the encrypted packet to virtual router 1421. Sinceencryption takes time, router 1411 typically will not encrypt everypacket, but will instead examine each packet to determine whether toencrypt or not. Similarly, virtual router 1421 will examine eachincoming packet using decrypt-detection block 1424 being received to seeif it is to be decrypted or not (e.g., by examining a bit in thepacket), and if so passes the packet to decryptor 1425, which decryptsthe packet using a suitable decryption method corresponding to theencryption method of encryptor 1415. The decrypted packets are thenrouted to the packet destination 1402. As is typical for Internet packettransmission, there may be any number of other intermediate nodes (notshown) between router 1411 and router 1421, wherein packets are receivedand sent on towards their destination by each intermediate router alongthe way. If a virtual private network (VPN) is desired between packetsource 1401 and packet destination 1402, (e.g., by forming a tunnel forthe packets) then every packet is parked as requiring encryption anddecryption for as long as the connection is maintained. In someembodiments, the detection of whether to encrypt or not, as describedjust above, is thus redundant. However, other virtual routers (e.g.,1412 and 1413) may desire to send packets that are not to be encrypted,and thus each virtual router 1411, 1412, and 1413 are configured to testeach outgoing packet, and each virtual router 1421, 1422, and 1423 areconfigured to test each ingoing packet, to determine whether or not toencrypt or decrypt.

FIG. 15 shows a block diagram of a system 1500 in accordance with analternative embodiment of the present invention. A first processingsystem 1510 includes one or more virtual routers 1511, 1512, and 1513,and a second first processing system 1520 includes one or more virtualrouters 1521, 1522, and 1523. In some embodiments, at least one of thevirtual routers 1511 does not examine each packet (i.e., to determinewhether or not to encrypt), but instead is set up as part of a tunnel,wherein all tunnel traffic is encrypted. Thus all traffic going out ofvirtual router 1511 goes to encryptor router (or node) 1515, whichencrypts all of its traffic and then routes those encrypted packets ontothe Internet, destined for decryptor router (or node) 1525. There, alltraffic is decrypted (without needing to examine each packet todetermine whether or not to decrypt), and then routed to the appropriateone of virtual routers 1521, 1522, or 1523. Traffic to virtual router1521 is then sent to packet destination 1402. Thus, in system 1500, thesetting up of the tunnel across the Internet between he packet source1401 and the packet destination 1402 includes a sending virtual router1511 which need not examine every packet, but instead inserts theencryption node or router 1515 into the path for every packet. Theencryption node 1515 simply becomes one more node along the path betweenthe source 1401 and the destination 1402. Each virtual router 1511 to1513 can share the same encryption node 1515 if it is set up to besending tunnel traffic. Those nodes not sending tunnel traffic cansimply bypass the encryption node 1515 (and those virtual routers 1513can, in some embodiments, examine each packet as described above todetermine whether or not to encrypt, or can simply assume that all itstraffic is not to be encrypted). This simplification also applies to thedecryption side in system 1520.

POP Infrastructure

The POP access infrastructure in the network-based managed firewallservice model is based on the CoSine Communications IPSX 9000 ServiceProcessing Switch. The base configuration for the switch includes:

-   -   1. 26-slot chassis    -   2. Redundant power supply    -   3. IPNOS Base Software    -   4. Ring Bridge & Ring Bridge Pass-Thru (to complete midplane)    -   5. Control Blade (for communications with Invision Services        Management System)    -   6. Dual-port Channelized DS3 Access Blade    -   7. Dual-port Unchannelized DS3 Access Blades    -   8. Processor Blade    -   9. OC-3c POS Trunk Blade

Analysis

Analysis of the four service delivery architectures for deploying amanaged firewall service reveals extremely compelling data in favor ofimplementing the network-based model based on the CoSine CommunicationsIP Service Delivery Platform. Significant advantages are gained byutilizing this model in each of the following areas:

Operational “Soft” Costs

The network-based managed firewall solution eliminates most of the steepoperational costs that are associated with deploying a CPE-basedsolution, specifically the per site truck roll and device installationcharges. The CheckPoint server-based CPE deployment and installationoperational costs alone exceed the total five-year capital equipmentinvestment required in the CoSine Communications network-based model.Though the installation and configuration costs for the POP and NOCbuild-outs are not quantified in this study due to the uniformity ofthese processes across all solutions, it is worthy to note that thegreater capacity of the CoSine IPSX 9000 Service Processing Switch andInvision Service Management System result in fewer components (switchchassis, NOC servers and software) that need to be installed andconfigured.

Time to Market, Time to Revenue

The network-based managed firewall solution enables service providers togreatly shorten the lead-time required to deploy the managed firewallservice. The removal of the CPE component from the service offeringeliminates the need to procure the device, eliminating a delay inservice rollout. This also eliminates the delay that is associated withscheduling an onsite installation.

Complexity

The network-based managed firewall solution greatly reduces thecomplexity associated with deploying the service. The number ofdistributed devices is reduced from thousands of remote customer sitesto only a few already staffed POPs, simplifying management andmaintenance significantly.

The network-based managed firewall service model creates a new source ofrevenue for service providers that is scalable, repeatable, andcost-effective. Leveraging centrally-managed services enables serviceproviders to derive greater value from the existing basic accessinfrastructure. The network-based model eliminates expensive onsiteinstallation and maintenance required of CPE-based solutions, andprovides a foundation to deploy additional value-added services via thesame delivery mechanism. Elimination of the CPE device also effectivelyhides the technology of the managed firewall solution from the customer,reducing internal network complexity and technical anxiety.

One aspect of the present invention provides a method of packet routing.The method includes connecting a plurality of processors in a network,assigning a unique processor identifier (PEID) to each of theprocessors, routing a first packet to a first one of the processorsacross the network, wherein each such packet includes a PEID valuecorresponding to a PEID of one of the processors, and wherein therouting to the first processor is based on the PEID value in the firstpacket, establishing a plurality of objects in the first processor,assigning a logical queue identifier (LQID) to a first one of theobjects in the first processor, wherein each packet also includes anLQID value corresponding to an LQID of one of the objects, and routingthe first packet to the first object based on the LQID value in thefirst packet.

Some embodiments further include assigning a plurality of differentLQIDs to the first object.

Some embodiments further include routing a plurality of packets, eachhaving a different LQID, to the first object based on the LQID value ineach respective packet.

In some embodiments, the first object is associated with a virtualrouter (VR).

Some embodiments further include establishing the first LQID with thefirst object to be used for point-to-point data traffic, andestablishing a second LQID with the first object to be used for shortcutdata traffic.

In some embodiments, the network is configured in a ring topology.

Another aspect of the present invention provides a system for routingpackets. This system includes a plurality of processors coupled to oneanother using a network, wherein each of the processors a uniqueprocessor identifier (PEID), wherein a first packet is routed into afirst one of the processors across the network, wherein each such packetincludes a PEID value corresponding to a PEID of one of the processors,and wherein the routing to the first processor is based on the PEIDvalue in the first packet, a plurality of objects in the firstprocessor, wherein each such object is assigned a logical queueidentifier (LQID), wherein each packet also includes an LQID valuecorresponding to an LQID of one of the objects, and software for routingthe first packet to the first object based on the LQID value in thefirst packet.

In some embodiments, a plurality of different LQIDs are simultaneouslyassigned to the first object.

In some embodiments, the means for routing includes means for routing aplurality of packets, each having a different LQID, to the first objectbased on the LQID value in each respective packet.

In some embodiments, the first object is associated with a virtualrouter (VR).

In some embodiments, the first LQID is associated with the first objectto be used for point-to-point data traffic, and a second LQID isassociated with the first object to be used for shortcut data traffic.

In some embodiments, the network is configured in a ring topology.

Still another aspect of the present invention provides a system forrouting packets. This system includes a plurality of processors coupledto one another using a network, wherein each of the processors a uniqueprocessor identifier (PEID), wherein a first packet is routed into afirst one of the processors across the network, wherein each such packetincludes a PEID value corresponding to a PEID of one of the processors,and wherein the routing to the first processor is based on the PEIDvalue in the first packet, and a plurality of objects in the firstprocessor, wherein each such object is assigned a logical queueidentifier (LQID), wherein each packet also includes an LQID valuecorresponding to an LQID of one of the objects, wherein the first packetis routed to the first object based on the LQID value in the firstpacket.

Some embodiments further include a services management system thatprovides changeable provisioning of processor capacity among a pluralityof customers.

Some embodiments further include a services management system thatprovides firewall protection for each of a plurality of customers.

The network-based managed firewall service model creates a new source ofrevenue for service providers that is scalable, repeatable, andcost-effective. Leveraging centrally-managed services enables serviceproviders to derive greater value from the existing basic accessinfrastructure. The network-based model eliminates expensive onsiteinstallation and maintenance required of CPE-based solutions, andprovides a foundation to deploy additional value-added services via thesame delivery mechanism. Elimination of the CPE device also effectivelyhides the technology of the managed firewall solution from the customer,reducing internal network complexity and technical anxiety.

The CoSine Communications IP Service Delivery Platform 300 enablesservice providers to reap the benefits of deploying a network-basedmanaged firewall service. The IPSX 9000 Service Processing Switch is arobust, high-availability platform that is capable of supportinghundreds of customer sites and network-based firewalls. The InVisionServices Management System is capable of rapidly provisioning andmanaging thousands of managed firewall customers throughout an extensivenationwide network, enabling service providers to leverage volumesecurity services driven by fewer staff resources. And the InGage™Customer Network Management System empowers customer IT managers to viewand augment managed network services. The IP Service Delivery Platformpositions service providers to continuously deploy new value-addedservices to their customer base, maximizing revenues and creatingcustomer lock-in.

Service providers utilizing the IP Service Delivery Platform 300 are togain a significant competitive edge in deploying high-value IP-basedservices. The CoSine Communications solution enables services providersto save on the capital costs associated with deploying a managedfirewall service over traditional CPE-based approaches. Additionally,the CoSine solution of the present invention virtually eliminates thesteep operational “soft” costs that plague the CPE approach.Furthermore, as customer numbers and bandwidth requirements increaseover time, so do the cost savings. This enables service providers togain a cost-leadership position while greatly increasing revenues.

The IP Service Delivery Platform (IPSDP 300) is an ideal solution forservice providers seeking to offer high value managed, network-basedfirewall services.

In some embodiments, a set of one or more management consultants to thenetworking industry help equipment vendors, service providers andenterprises make strategic decisions, mitigate risk and affect changethrough business and technology consulting engagements. This approach istailored to each client's specific issues, objectives and budget.

These consultants are leaders in the networking industry and influenceits direction though confidential engagements for industry leaders andthrough public appearances and trade magazine articles. Theseinteractions assure clients that they will be among the first to know ofthe latest industry concepts and emerging technology trends.

Each consulting engagement is uniquely structured-no forcedmethodologies or canned reports are employed. An integratedclient/management consultant case team respecting and soliciting theopinions of everyone is formed for each engagement.

Embodiments of the present invention provide a flexible, scalablehardware and software platform that allows a service provider to easilyprovide Internet services, virtual private network services, firewallservices, etc., to a plurality of customers. This solution can bechanges to provision each customer with more or less processing powerand storage, according to individual changing needs.

One aspect of the present invention provides a method of deliveringsecurity services. This method includes connecting a plurality ofprocessors 930 in a ring configuration within a first processing system,establishing a secure connection between the processors in the ringconfiguration across an Internet protocol (IP) connection to a secondprocessing system to form a tunnel, and providing both router servicesand host services for a customer using the plurality of processors inthe ring configuration and using the second processing system.

In some embodiments, one or more processors are operable to support acommunications network, the plurality of processors includes one or morecontrol processors, one or more access processors, and one or moreprocessing processors.

In some embodiments, for each of a plurality of customers, a virtualrouter 210 is formed in the first processing system 401 and is operablyconnected to a virtual router 210 formed in the second system 402.

In some embodiments, for each of a plurality of customers, a virtualprivate network 410 is formed using a virtual router 210 formed in thefirst processing system 401 and operably connected to a virtual router210 formed in the second system 402.

In some embodiments, the connecting a plurality of processors in thering configuration includes forming dual counter rotating ringconnections 933 and 934, each connecting to each of the plurality ofprocessors 930.

Another aspect of the present invention provides a system of deliveringsecurity services. This system 201 includes a plurality of processors230 in a ring configuration within a first processing system 401, andmeans for establishing a secure connection 418 between the processors inthe ring configuration 411 across an Internet protocol (IP) connectionto a second processing system 412 to form a tunnel, and for providingboth router services and host services for a customer using theplurality of processors in the ring configuration 411 and using thesecond processing system 412.

In some embodiments, to support a communications network, the pluralityof processors includes one or more control processors, one or moreaccess processors, and one or more processing processors.

In some embodiments, for each of a plurality of customers, a virtualrouter is formed in the first processing system and is operablyconnected to a virtual router formed in the second system.

In some embodiments of this system, for each of a plurality ofcustomers, a virtual private network is formed using a virtual routerformed in the first processing system and operably connected to avirtual router formed in the second system.

In some embodiments of this system, the plurality of processors in thering configuration includes dual counter rotating ring connections, eachconnecting to each of the plurality of processors.

Yet another aspect of the present invention provides a system 201 fordelivering security services. This second system 201 includes aplurality of processors within a first processing system connected in aring configuration, and a tunnel formed using a secure connectionbetween the processors in the ring configuration across an Internetprotocol (IP) connection to a second processing system, wherein bothrouter services and host services are provided for a customer using theplurality of processors in the ring configuration and using the secondprocessing system.

In some embodiments of this second system, to support a communicationsnetwork, the plurality of processors 930 includes one or more controlprocessors 234, one or more access processors 238, and one or moreprocessing processors 236. In some embodiments, one or more of theseprocessors is packaged on a blade 239.

In some embodiments of this second system, for each of a plurality ofcustomers, a virtual router 210 is formed in the first processing system401 and is operably connected to a virtual router 210 formed in thesecond system 402.

In some embodiments of this second system, for each of a plurality ofcustomers, a virtual private network 410 is formed using a virtualrouter 210 formed in the first processing system 401 and operablyconnected to a virtual router 210 formed in the second system 410.

In some embodiments of this second system, the plurality of processors230 in the ring configuration includes dual counter rotating ringconnections 932 and 933, each connecting to each of the plurality ofprocessors 930.

Some embodiments of this second system further include a servicesmanagement system 221 that provides changeable provisioning of processorcapacity among a plurality of customers.

Some embodiments of this second system further include a servicesmanagement system 221 that provides firewall protection for each of aplurality of customers.

Some embodiments of this second system further include a servicesmanagement system 221 that provides provisioning of processor capacityamong a plurality of customers, wherein each customer's resources areisolated from those of all the other customers.

Another aspect of the present invention provides a method of deliveringsecurity services, for example by forming a secure tunnel between asource site and a destination site. The method includes establishing afirst routing node within a first processing system, establishing asecond routing node within a second processing system, establishing afirst Internet protocol (IP) connection communications path between thefirst processing system and the second processing system that includesthe first routing node and the second routing node, receiving aplurality of data packets into the first routing node, encrypting all ofthe received packets, without regard to any indication in the receivedpackets, to form encrypted packets, sending the encrypted packets fromthe first routing node to the second routing node, receiving theencrypted packets into the second routing node, decrypting all of thereceived encrypted packets, without regard to any indication in thereceived encrypted packets, to form decrypted packets, and sending thedecrypted packets from the second routing node to a destination in thesecond processing system.

In some embodiments, to support a communications network, the firstprocessing system includes one or more control processors, one or moreaccess processors, and one or more processing processors.

In some embodiments, for a first customer, a virtual router forms thefirst routing node in the first processing system and is operablyconnected to a virtual router that forms the second routing node in thesecond processing system.

In some embodiments, for each of a plurality of customers, a virtualprivate network is formed using a virtual encrypting router formed inthe first processing system and operably connected to a virtualdecrypting router formed in the second processing system.

In some embodiments, establishing the first routing node in the firstprocessing system includes connecting a plurality of processors in aring configuration.

In some embodiments, the connecting the plurality of processorscomprises connecting the plurality of processors in a ringconfiguration, and wherein the connecting a plurality of processors inthe ring configuration includes forming dual counter rotating ringconnections, each connecting to each of the plurality of processors.

Yet another aspect of the present invention provides a system ofdelivering security services. This system includes a first processingsystem, a second processing system, and means for establishing a secureconnection between the processors across an Internet protocol (IP)connection to a second processing system to form a tunnel, wherein thesecure connection encrypts all packets going into the tunnel anddecrypts all packets coming from the tunnel.

In some embodiments, to support a communications network, the firstprocessing system includes one or more control processors, one or moreaccess processors, and one or more processing processors.

In some embodiments, for each of a plurality of customers, a virtualrouter is formed in the first processing system and is operablyconnected to a virtual router formed in the second system.

In some embodiments, for each of a plurality of customers, a virtualprivate network is formed using an encrypting virtual router formed inthe first processing system and operably connected to a decryptingvirtual router formed in the second system.

In some embodiments, the one or more control processors, the one or moreaccess processors, and the one or more processing processors areconnected by dual counter-rotating ring connections, each connecting toeach of the plurality of processors.

Still another aspect of the present invention provides a system 1500 ofdelivering security services, This system includes a first processingsystem 1510, a second processing system 1520, and a first routing node1515 within the first processing system, and a second routing node 1525within the second processing system, wherein the first routing node 1515encrypts all packets routed to it and forwards encrypted packets to thesecond routing node 1525, and the second routing node 1525 decrypts theencrypted packets sent from the first routing node and sends thedecrypted packets from the second routing node to a destination 1402 inthe second processing system 1520.

In some embodiments of system 1500, to support a communications network,the first processing system includes one or more control processors, oneor more access processors, and one or more processing processors.

In some embodiments of system 1500, for each of a plurality ofcustomers, an encrypting virtual router 1511 is formed in the firstprocessing system 1510 and is operably connected to a decrypting virtualrouter 1521 formed in the second processing system 1520.

In some embodiments of system 1500, for each of a plurality ofcustomers, a virtual private network is formed using an encryptingvirtual router formed in the first processing system and operablyconnected to a decrypting virtual router formed in the second system.

Some embodiments of system 1500 include one or more control processors,one or more access processors, and one or more processing processorsconnected in a ring configuration that includes dual counter rotatingring connections, each connecting to each of these plurality ofprocessors.

Some embodiments further include a first virtual router in the firstprocessing system that receives packets to be sent and routes suchpackets to the first routing node for encryption. Some embodimentsfurther include a second virtual router in the second processing systemthat receives packets from the second routing node after decryption androutes such packets towards a destination.

It is understood that the above description is intended to beillustrative, and not restrictive. Many other embodiments will beapparent to those of skill in the art upon reviewing the abovedescription. The scope of the invention should, therefore, be determinedwith reference to the appended claims, along with the full scope ofequivalents to which such claims are entitled.

1. A method comprising: receiving, at a service management system (SMS)of a managed security service provider, a request to establish anInternet Protocol (IP) connection between a first location of a firstsubscriber of a plurality of subscribers of the managed security serviceprovider and a second location of the first subscriber; and establishinga tunnel between a first service processing switch of the managedsecurity service provider and a second service processing switch of themanaged security service provider coupled in communication with thefirst service processing switch through a public network by associatinga first packet routing node within the first service processing switchwith the first location; associating a second packet routing node withinthe second service processing switch with the second location; bindingan encryption configuration decision associated with the request with arouting configuration of the first packet routing node, by, when therequest is to establish a secure IP connection, configuring, the firstpacket routing node (i) to cause all packets transmitted from the firstlocation to the second location to be encrypted prior to transmissionthrough the public network and (ii) to cause all packets received fromthe second location to be decrypted after transmission through thepublic network; and binding the encryption configuration decision with arouting configuration of the second packet routing node, by, when therequest is to establish a secure IP connection, configuring, the secondpacket routing node (i) to cause all packets transmitted from the secondlocation to the first location to be encrypted prior to transmissionthrough the public network and (ii) to cause all packets received fromthe first location to be decrypted after transmission through the publicnetwork.
 2. The method of claim 1, wherein the first packet routing nodecomprises a virtual router of a plurality of virtual routers runningwithin the first service processing switch.
 3. The method of claim 1,wherein the second packet routing node comprises a virtual router of aplurality of virtual routers running within the second serviceprocessing switch.
 4. The method of claim 1, wherein the tunnel isformed using a first virtual encrypting router running in the firstservice processing switch coupled to a first virtual decrypting routerrunning in the second service processing switch and a second virtualencrypting router running in the second service processing switchcoupled to a second virtual decrypting router running in the firstservice processing switch.
 5. The method of claim 1, wherein the requestto establish the IP connection is received by the SMS from a customernetwork management (CNM) system of the first subscriber.
 6. The methodof claim 1, wherein the request to establish the IP connection isreceived by the SMS via a user interface associated with the SMS.
 7. Asystem operable by a managed security service provider, the systemcomprising: a service management system (SMS) configured to operatewithin a service provider network; a first service processing switchconfigured to operate within the service provider network; a secondservice processing switch configured to operate within the serviceprovider network and to be coupled to the first service processingswitch via a public network; wherein the SMS is further configured to:receive a request to establish an Internet Protocol (IP) connectionbetween a first location of a first subscriber of a plurality ofsubscribers of the managed security service provider and a secondlocation of the first subscriber; and cause a tunnel to be establishedbetween the first service processing switch and the second serviceprocessing switch by causing a first packet routing node within thefirst service processing switch to be associated with the firstlocation; causing a second packet routing node within the second serviceprocessing switch to be associated with the second location; causing anencryption configuration decision associated with the request to bebound with a routing configuration of the first packet routing node, by,when the request is to establish a secure IP connection, configuring,the first packet routing node (i) to cause all packets transmitted fromthe first location to the second location to be encrypted prior totransmission through the public network and (ii) to cause all packetsreceived from the second location to be decrypted after transmissionthrough the public network; and causing the encryption configurationdecision to be bound with a routing configuration of the second packetrouting node, by, when the request is to establish a secure IPconnection, configuring, the second packet routing node (i) to cause allpackets transmitted from the second location to the first location to beencrypted prior to transmission through the public network and (ii) tocause all packets received from the first location to be decrypted aftertransmission through the public network.
 8. The system of claim 7,wherein the first packet routing node comprises a virtual router of aplurality of virtual routers running within the first service processingswitch.
 9. The system of claim 7, wherein the second packet routing nodecomprises a virtual router of a plurality of virtual routers runningwithin the second service processing switch.
 10. The system of claim 7,wherein the tunnel is formed using a first virtual encrypting routerrunning in the first service processing switch coupled to a firstvirtual decrypting router running in the second service processingswitch and a second virtual encrypting router running in the secondservice processing switch coupled to a second virtual decrypting routerrunning in the first service processing switch.
 11. The system of claim7, wherein the request to establish the IP connection is received by theSMS from a customer network management (CNM) system of the firstsubscriber.
 12. The system of claim 7, wherein the request to establishthe IP connection is received by the SMS via a user interface associatedwith the SMS.
 13. A non-transitory computer-readable storage mediumtangibly embodying a set of instructions, which when executed by one ormore processors of a service management system (SMS) of a managedsecurity service provider, cause the one or more processors to perform amethod comprising: receiving a request to establish an Internet Protocol(IP) connection between a first location of a first subscriber of aplurality of subscribers of the managed security service provider and asecond location of the first subscriber; and causing to be established atunnel between a first service processing switch of the managed securityservice provider and a second service processing switch of the managedsecurity service provider coupled in communication with the firstservice processing switch through a public network by causing a firstpacket routing node within the first service processing switch to beassociated with the first location; causing a second packet routing nodewithin the second service processing switch to be associated with thesecond location; causing an encryption configuration decision associatedwith the request to be bound with a routing configuration of the firstpacket routing node, by, when the request is to establish a secure IPconnection, configuring, the first packet routing node (i) to cause allpackets transmitted from the first location to the second location to beencrypted prior to transmission through the public network and (ii) tocause all packets received from the second location to be decryptedafter transmission through the public network; and causing theencryption configuration decision to be bound with a routingconfiguration of the second packet routing node, by, when the request isto establish a secure IP connection, configuring, the second packetrouting node (i) to cause all packets transmitted from the secondlocation to the first location to be encrypted prior to transmissionthrough the public network and (ii) to cause all packets received fromthe first location to be decrypted after transmission through the publicnetwork.
 14. The computer-readable medium of claim 13, wherein the firstpacket routing node comprises a virtual router of a plurality of virtualrouters running within the first service processing switch.
 15. Thecomputer-readable medium of claim 13, wherein the second packet routingnode comprises a virtual router of a plurality of virtual routersrunning within the second service processing switch.
 16. Thecomputer-readable medium of claim 13, wherein the tunnel is formed usinga first virtual encrypting router running in the first serviceprocessing switch coupled to a first virtual decrypting router runningin the second service processing switch and a second virtual encryptingrouter running in the second service processing switch coupled to asecond virtual decrypting router running in the first service processingswitch.
 17. The computer-readable medium of claim 13, wherein therequest to establish the IP connection is received by the SMS from acustomer network management (CNM) system of the first subscriber. 18.The computer-readable medium of claim 13, wherein the request toestablish the IP connection is received by the SMS via a user interfaceassociated with the SMS.